<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">



<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/all.min.css" integrity="sha256-mUZM63G8m73Mcidfrv5E+Y61y7a12O5mW4ezU3bxqW4=" crossorigin="anonymous">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/animate.css@3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">

<script class="next-config" data-name="main" type="application/json">{"hostname":"anynone.gitee.io","root":"/","images":"/images","scheme":"Pisces","darkmode":true,"version":"8.7.1","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12},"copycode":false,"bookmark":{"enable":false,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false,"i18n":{"placeholder":"搜索...","empty":"没有找到任何搜索结果：${query}","hits_time":"找到 ${hits} 个搜索结果（用时 ${time} 毫秒）","hits":"找到 ${hits} 个搜索结果"}}</script><script src="/js/config.js"></script>
<meta name="description" content="之前遇到了docker绑定本地端口后通过iptables INPUT 链无法禁用绑定端口访问的问题，刚好深夜醒了睡不着，写篇日志助眠 顺便说下，我的局域网ip是 192.168.31.105  临时创建nginx端口映射，建立容器，绑定本地端口80  1sudo docker run --rm -p 8081:80  -it nginx  试下访问本机8081端口尝试是可以通的  REJECT掉I">
<meta property="og:type" content="article">
<meta property="og:title" content="禁用docker开放的端口">
<meta property="og:url" content="https://anynone.gitee.io/2022/01/01/docker-reject-bind-port/index.html">
<meta property="og:site_name" content="anynone">
<meta property="og:description" content="之前遇到了docker绑定本地端口后通过iptables INPUT 链无法禁用绑定端口访问的问题，刚好深夜醒了睡不着，写篇日志助眠 顺便说下，我的局域网ip是 192.168.31.105  临时创建nginx端口映射，建立容器，绑定本地端口80  1sudo docker run --rm -p 8081:80  -it nginx  试下访问本机8081端口尝试是可以通的  REJECT掉I">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://anynone.gitee.io/images/docker-reject-port/1.jpg">
<meta property="og:image" content="https://anynone.gitee.io/images/docker-reject-port/what.gif">
<meta property="og:image" content="https://anynone.gitee.io/images/docker-reject-port/2.jpg">
<meta property="og:image" content="https://anynone.gitee.io/images/docker-reject-port/3.jpg">
<meta property="og:image" content="https://anynone.gitee.io/images/docker-reject-port/4.jpg">
<meta property="og:image" content="https://anynone.gitee.io/images/docker-reject-port/5.jpg">
<meta property="article:published_time" content="2021-12-31T19:21:37.000Z">
<meta property="article:modified_time" content="2022-09-09T00:09:56.415Z">
<meta property="article:author" content="山丘之王">
<meta property="article:tag" content="docker端口禁用,iptables">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://anynone.gitee.io/images/docker-reject-port/1.jpg">


<link rel="canonical" href="https://anynone.gitee.io/2022/01/01/docker-reject-bind-port/">



<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"zh-CN","comments":true,"permalink":"https://anynone.gitee.io/2022/01/01/docker-reject-bind-port/","path":"2022/01/01/docker-reject-bind-port/","title":"禁用docker开放的端口"}</script>

<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>禁用docker开放的端口 | anynone</title>
  




  <noscript>
    <link rel="stylesheet" href="/css/noscript.css">
  </noscript>
</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">
    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏" role="button">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <i class="logo-line"></i>
      <h1 class="site-title">anynone</h1>
      <i class="logo-line"></i>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>



<nav class="site-nav">
  <ul class="main-menu menu">
        <li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a></li>
  </ul>
</nav>




</div>
        
  
  <div class="toggle sidebar-toggle" role="button">
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
  </div>

  <aside class="sidebar">

    <div class="sidebar-inner sidebar-overview-active">
      <ul class="sidebar-nav">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <div class="sidebar-panel-container">
        <img src="/images/head.jpg">
        <!--noindex-->
        <div class="post-toc-wrap sidebar-panel">
        </div>
        <!--/noindex-->

        <div class="site-overview-wrap sidebar-panel">
          <div class="site-author site-overview-item animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">山丘之王</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap site-overview-item animated">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
        <a href="/archives/">
          <span class="site-state-item-count">22</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-tags">
        <span class="site-state-item-count">15</span>
        <span class="site-state-item-name">标签</span>
      </div>
  </nav>
</div>
  <div class="links-of-author site-overview-item animated">
      <span class="links-of-author-item">
        <a href="https://github.com/anynone" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;anynone" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>



        </div>
      </div>
    </div>
  </aside>
  <div class="sidebar-dimmer"></div>


    </header>

    
  <div class="back-to-top" role="button" aria-label="返回顶部">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>

<noscript>
  <div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>


    <div class="main-inner post posts-expand">


  


<div class="post-block">
  
  

  <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://anynone.gitee.io/2022/01/01/docker-reject-bind-port/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="山丘之王">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="anynone">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          禁用docker开放的端口
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">发表于</span>

      <time title="创建时间：2022-01-01 03:21:37" itemprop="dateCreated datePublished" datetime="2022-01-01T03:21:37+08:00">2022-01-01</time>
    </span>
      <span class="post-meta-item">
        <span class="post-meta-item-icon">
          <i class="far fa-calendar-check"></i>
        </span>
        <span class="post-meta-item-text">更新于</span>
        <time title="修改时间：2022-09-09 08:09:56" itemprop="dateModified" datetime="2022-09-09T08:09:56+08:00">2022-09-09</time>
      </span>

  
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">
        <p>之前遇到了docker绑定本地端口后通过iptables INPUT 链无法禁用绑定端口访问的问题，刚好深夜醒了睡不着，写篇日志助眠</p>
<p>顺便说下，我的局域网ip是 <code>192.168.31.105</code></p>
<ol>
<li>临时创建nginx端口映射，建立容器，绑定本地端口80</li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo docker run --rm -p 8081:80  -it nginx</span><br></pre></td></tr></table></figure>

<p><span style="color:red;">试下访问本机8081端口尝试是可以通的</span><br><img src="/images/docker-reject-port/1.jpg" alt="1" style="zoom:67%;margin-left:0px;" /></p>
<ol start="2">
<li>REJECT掉INPUT链的8081端口访问</li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">iptables -I INPUT -p tcp --dport 8081 -j REJECT</span><br></pre></td></tr></table></figure>

<p><span style="color:red;">再次试下访问本机8081端口，<span style="color:green;">还是可以通的</span></span></p>
<img src="/images/docker-reject-port/what.gif" alt="what" style="zoom:80%;margin-left:0px;" />

<p>问题如上！！！！！！！</p>
<p>解决方式也很简单，只需要RETURN掉 DOCKER链的对应端口请求，命令如下</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">iptables -t nat -I DOCKER &lt;要RETURN掉的行号&gt; ! -i &lt;DOCKER网卡名称&gt; -p tcp -m tcp --dport &lt;宿主机端口号&gt; -j RETURN</span><br></pre></td></tr></table></figure>

<blockquote>
<p>查询行号和网卡名称</p>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">iptables -t nat -nvL DOCKER --line-number</span><br></pre></td></tr></table></figure>

<p><img src="/images/docker-reject-port/2.jpg" alt="2"></p>
<blockquote>
<p>对应RETURN DOCKER链的规则</p>
</blockquote>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">iptables -t nat -I DOCKER 2 ! -i docker0 -p tcp -m tcp --dport 8081 -j RETURN</span><br></pre></td></tr></table></figure>

<p>RETURN后进入INPUT链，由于之前INPUT 链禁用了8081端口，请求被丢弃</p>
<img src="/images/docker-reject-port/3.jpg" alt="3" style="zoom:67%;margin-left:0px;" />



<p>到此，问题解决了，其实倒也不是什么疑难问题，主要是一般请求都会走INPUT链，通过INPUT链禁用本机端口习惯了。而安装docker后，docker容器的请求在prerouting阶段转发到DOCKER链，之后转发到容器ip。如下图，docker容器启动后必然会在iptables增加如下规则：</p>
<img src="/images/docker-reject-port/4.jpg" alt="4" style="zoom:80%;margin-left:0px;" />

<p>请求被转发到DOCKER链，之后转发到容器ip，根本没走IPNUT链</p>
<img src="/images/docker-reject-port/5.jpg" alt="5" style="zoom:150%;margin-left:0px;" />

    </div>

    
    
    

    <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/docker%E7%AB%AF%E5%8F%A3%E7%A6%81%E7%94%A8-iptables/" rel="tag"># docker端口禁用,iptables</a>
          </div>

        

          <div class="post-nav">
            <div class="post-nav-item">
                <a href="/2021/12/22/php-ext-dev-1/" rel="prev" title="php扩展开发（一）">
                  <i class="fa fa-chevron-left"></i> php扩展开发（一）
                </a>
            </div>
            <div class="post-nav-item">
                <a href="/2022/03/31/linux-ununual-command/" rel="next" title="linux常用命令----mount和umount设备挂载">
                  linux常用命令----mount和umount设备挂载 <i class="fa fa-chevron-right"></i>
                </a>
            </div>
          </div>
    </footer>
  </article>
</div>






</div>
  </main>

  <footer class="footer">
    <div class="footer-inner">


<div class="copyright">
  &copy; 2021 – 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">山丘之王</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/pisces/" rel="noopener" target="_blank">NexT.Pisces</a> 强力驱动
  </div>

    </div>
  </footer>

  
  <script src="https://cdn.jsdelivr.net/npm/animejs@3.2.1/lib/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous"></script>
<script src="/js/comments.js"></script><script src="/js/utils.js"></script><script src="/js/motion.js"></script><script src="/js/next-boot.js"></script>

  





  





</body>
</html>
